EP1977342A1 - Analyzing interpretable code for harm potential - Google Patents
Analyzing interpretable code for harm potentialInfo
- Publication number
- EP1977342A1 EP1977342A1 EP06848320A EP06848320A EP1977342A1 EP 1977342 A1 EP1977342 A1 EP 1977342A1 EP 06848320 A EP06848320 A EP 06848320A EP 06848320 A EP06848320 A EP 06848320A EP 1977342 A1 EP1977342 A1 EP 1977342A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- command unit
- computer
- code
- interpretable
- accordance
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/42—Syntactic analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/43—Checking; Contextual analysis
- G06F8/433—Dependency analysis; Data or control flow analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Definitions
- computing systems have revolutionized the way we work and play.
- Computing systems come in a wide variety of forms including laptop computers, desktop computers, personal digital assistants, telephones, and even devices that have not been conventionally associated with computing systems such as, for example, refrigerators and automobiles.
- Computing systems may even comprise a number of constituent computing systems interconnected via a network. Thus, some computing systems may be small enough to fit in the palm of the hand, while others are spread over much of the globe.
- computing systems are composed of hardware and software.
- the hardware includes most fundamentally at least one processor and memory.
- the software includes instructions that may be embodied in the memory or in storage, and that can be accessed and executed by the processor(s) to direct the overall functionality of the computing system. Thus, software is critical in enabling and directing the functionality of the computing system.
- a human being programmer In order to construct software, a human being programmer first writes code that conforms to a programming language that contains syntax and semantics that are human readable and intuitive to a human being. Such code is referred to as "source code". While the source code is intuitive for a programmer that is properly educated on the programming language followed by the source code, the source code is not directly understood by the processors of the computing system. Instead, the source code must be transformed into computer-executable instructions that are directly executable by the processor(s) in a manner that the execution causes the processor(s) to direct the functionality specified in the source code.
- interpretable code such as script or interpretable binary
- this transformation is accomplished at run-time using a component referred to as an "interpreter”.
- IT Information Technology
- interpretable code is widespread and is an important element of most Information Technology (IT) operations. For instance, if a certain fix is required, a script or other interpretable code may be generated to accomplish the fix. Scripts can be easily generated by anyone familiar with the script language. This has resulted in a large number of scripts being widely available for distribution and use. [0005J Often, the script is published along with a description of what the script accomplishes. Unfortunately, the script may perform harmful functionality instead of and/or in addition to the advertised functionality.
- script Since script is so easily generated and widely distributed, prudence warrants the careful consideration of whether or not the script has harmful effects either inadvertently or even maliciously caused by the scripts' authors. Thus, it is important to examine the script itself to understand what the script does before running the script.
- Embodiments of the present invention relate to a computerized facilitation of an assessment of risk associated with running interpretable code.
- the interpretable code under evaluation is parsed to identify a command unit within the interpretable code.
- One or more risk factors associated with the identified command unit is then identified using the parsed code.
- a report is then made of including identification of the command unit found in the interpretable code along with the identified associated one or more risk factors.
- Figure 2 schematically illustrates a processing flow in which various components operate to facilitate an assessment of risk associated with running interpretable code in accordance with one aspect of the principles of the present invention
- Figure 3 illustrates a flowchart of a method for facilitating an assessment of risk associated with running interpretable code in accordance with one aspect of the principles of the present invention.
- Embodiments of the present invention extend to the computerized facilitation of an assessment of risk associated with running interpretable code.
- the interpretable code under evaluation is parsed to identify a command unit within the interpretable code.
- One or more risk factors associated with the identified command unit is then identified using the parsed code.
- a report is then made including identification of the command unit found in the interpretable code along with the identified associated one or more risk factors.
- FIG. 1 shows a schematic diagram of an example computing system 100 that may be used to implement features of the present invention.
- the described computing system is only one example of such a suitable computing system and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should the invention be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in Figure 1.
- Computing systems are now increasingly taking a wide variety of forms.
- Computing systems may, for example, be handheld devices, appliances, laptop computers, desktop computers, mainframes, distributed computing systems, or even devices that have not conventionally considered a computing system.
- the term "computing system” is defined broadly as including any device or system (or combination thereof) that includes at least one processor, and a memory capable of having thereon computer-executable instructions that may be executed by the processor.
- the memory may take any form and may depend on the nature and form of the computing system.
- a computing system may be distributed over a network environment and may include multiple constituent computing systems.
- a computing system 100 typically includes at least one processing unit 102 and memory 104.
- the memory 104 may be system memory, which may be volatile, non-volatile, or some combination of the two.
- volatile memory includes Random Access Memory (RAM).
- non-volatile memory include Read Only Memory (ROM), flash memory, or the like.
- ROM Read Only Memory
- memory may also be used herein to refer to non-volatile mass storage such as physical storage media. Such storage may be removable or non-removable, and may include (but is not limited to) PCMCIA cards, magnetic and optical disks, magnetic tape, and the like.
- module can refer to software objects or routines that execute on the computing system.
- the different components, modules, engines, and services described herein may be implemented as objects or processes that execute on the computing system (e.g., as separate threads). While the system and methods described herein may be implemented in software, implementations in hardware, and in combinations of software and hardware are also possible and contemplated.
- embodiments of the invention are described with reference to acts that are performed by one or more computing systems. If such acts are implemented in software, one or more processors of the associated computing system that performs the act direct the operation of the computing system in response to having executed computer-executable instructions.
- An example of such an operation involves the manipulation of data.
- the computer-executable instructions (and the manipulated data) may be stored in the memory 104 of the computing system 100.
- Computing system 100 may also contain communication channels 108 that allow the computing system 100 to communicate with other computing systems over, for example, network 110.
- Communication channels 108 are examples of communications media.
- Communications media typically embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information-delivery media.
- communications media include wired media, such as wired networks and direct-wired connections, and wireless media such as acoustic, radio, infrared, and other wireless media.
- the term computer-readable media as used herein includes both storage media and . communications media.
- Embodiments within the scope of the present invention also include computer-readable media for carrying or having computer-executable instructions or data structures stored thereon.
- Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer.
- Such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer.
- Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions.
- Figure 2 illustrates a general process flow 200 in which various components operate to facilitate an assessment on risk associated with running interpretable code such as interpretable code 201.
- the interpretable code may include one or more command units.
- the interpretable code 201 of Figure 2 is illustrated as including two command units 202A and 202B, although the interpretable code 201 may include other numbers of command units as well as represented by the ellipses 202C.
- interpretable code may include hundreds or even thousands of commands.
- the interpretable code is shown as including only two command units.
- the interpretable code may be interpretable text code such as script, or may be interpretable non-text code.
- the command unit may be a single command with or without one or more associated parameters.
- a command unit may include a single command to delete a file, with optionally a parameter representing the type of file to delete (e.g., text file, configuration file, executable file).
- the command unit may be a sequence of commands. For example, create file A, then delete file A might be one such sequence.
- Each command in the sequence may include one or more associated parameters.
- Figure 3 illustrates a flowchart of a computer-implemented method 300 for facilitating an assessment of risk associated with running interpretable code. As the method 300 may be performed using the general processing flow 200 of Figure 2, the remainder of Figure 2 will now be described with frequent reference to Figure 3.
- a parsing component 210 receives and parses through the interpretable code to identify one or more command units within the interpretable code (act 310).
- the parsing component 210 may be part of a computer program product.
- the computer program product may have one or more computer-readable media having thereon computer-executable instructions that, when executed by one or more processors of a computing system, cause the computing
- the parsing component identifies the command units in a parse tree 211.
- Mechanisms for parsing through interpretable code to generate a parse tree are known in the art and thus will not be described in detail herein.
- An analyzer 220 accesses the parse tree 211 to identify one or more command units.
- the analyzer 220 may also be part of the same computer program product as the parsing component 210 if implemented in software. Alternatively, the parsing component 210 and the analyzer 220 may be in different computer program products.
- a risk analyzer component 221 of the analyzer 220 identifies one or more risk factors associated with the identified command unit using the parsed code (act 320). This may be accomplished by accessing command data 231 (act 321), accessing a command entry associated with the command unit in the command data (act 322), accessing one or more risk factors from the command entry (act 323), and identifying the one or more risk factors as being the one or more risk factors associated with the identified command unit (act 324).
- the risk factors may include a general category of the command unit, a functional description of the command unit and/or a level of risk associated with the command unit.
- the analyzer 220 also includes a reporting component 222 for reporting an identification of the. command unit found in the interpretable code along with the identified associated one or more risk factors (act 330).
- the reporting component 222 may generate report 232 which may include for each command unit and identification 233 of the command unit as well as the risk factor(s) 234 associated with the command unit.
- the reporting component 222 may report a location in the interpretable code in which the command unit appears (act 331).
- Script foo.msh performs the following operations:
- Get-Process (occurs at lines: 55, 66, 88, 234) Get-Service (occurs at lines: 934, 1235, 392)
- the script was advertised as a script for managing processes and services.
- the process operations "Get- Process” and “Get-Service” appear appropriate and more likely harmless.
- a user would likely want to know why the script performs the file operation "Delete-File". Accordingly, the user could go to the specified locations of the script (e.g., lines 5234 and 3242) to see if the other context of the script provides any light to a decision on whether the delete file operation is harmful. For instance, if the operation is to delete a pre-existing configuration file in the system, then that presents a higher likelihood that execution of the script will indeed result in some harm. On the other hand, if the script merely deletes a temporary file that the script itself previously created, then there would seem to be less likelihood of there being a problem.
- Script foo.msh performs the following types of operations: Very dangerous
- Get-Process (occurs at lines: 55, 66, 88, 234) Get-Service (occurs at lines: 934, 1235, 392)
- the risk factors involve an actually preliminary estimate of the risk associated with the command.
- a user may arrive at a different final estimate of the risk after having reviewed the command in its context within the script.
- the principles of the present invention presents a more intuitive alternative than having the user review the script code itself in order to make an evaluation on whether or not there is acceptably low risk of harm in executing script.
- the user may instead simply review of more intuitive report that provides readable representations of risk factors associated with various commands provided in the script.
- the report may provide a representation of the location of the command in the script in case the user desires to perform a more detailed evaluation of the command's risk in light of the programming context.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Quality & Reliability (AREA)
- Mathematical Physics (AREA)
- Databases & Information Systems (AREA)
- Data Mining & Analysis (AREA)
- Stored Programmes (AREA)
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/339,397 US7802089B2 (en) | 2006-01-25 | 2006-01-25 | Analyzing interpretable code for harm potential |
PCT/US2006/049547 WO2007087073A1 (en) | 2006-01-25 | 2006-12-28 | Analyzing interpretable code for harm potential |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1977342A1 true EP1977342A1 (en) | 2008-10-08 |
EP1977342A4 EP1977342A4 (en) | 2009-05-27 |
Family
ID=38309542
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06848320A Withdrawn EP1977342A4 (en) | 2006-01-25 | 2006-12-28 | Analyzing interpretable code for harm potential |
Country Status (5)
Country | Link |
---|---|
US (1) | US7802089B2 (en) |
EP (1) | EP1977342A4 (en) |
KR (1) | KR20080096518A (en) |
CN (1) | CN101336432A (en) |
WO (1) | WO2007087073A1 (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8291377B2 (en) * | 2006-01-25 | 2012-10-16 | Microsoft Corporation | External configuration of processing content for script |
US8402547B2 (en) * | 2010-03-14 | 2013-03-19 | Virtual Forge GmbH | Apparatus and method for detecting, prioritizing and fixing security defects and compliance violations in SAP® ABAP™ code |
US10025688B2 (en) | 2010-03-14 | 2018-07-17 | Virtual Forge GmbH | System and method for detecting data extrusion in software applications |
US8701198B2 (en) * | 2010-08-10 | 2014-04-15 | Salesforce.Com, Inc. | Performing security analysis on a software application |
US9507940B2 (en) | 2010-08-10 | 2016-11-29 | Salesforce.Com, Inc. | Adapting a security tool for performing security analysis on a software application |
US8904541B2 (en) * | 2010-08-26 | 2014-12-02 | Salesforce.Com, Inc. | Performing security assessments in an online services system |
DE102012008988A1 (en) * | 2012-05-04 | 2013-11-07 | Giesecke & Devrient Gmbh | Portable disk |
KR101479516B1 (en) * | 2014-03-05 | 2015-01-07 | 소프트포럼 주식회사 | Source code security weakness detection apparatus and method |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5748964A (en) * | 1994-12-20 | 1998-05-05 | Sun Microsystems, Inc. | Bytecode program interpreter apparatus and method with pre-verification of data type restrictions |
US5983348A (en) * | 1997-09-10 | 1999-11-09 | Trend Micro Incorporated | Computer network malicious code scanner |
US7636945B2 (en) | 2000-07-14 | 2009-12-22 | Computer Associates Think, Inc. | Detection of polymorphic script language viruses by data driven lexical analysis |
US7069589B2 (en) | 2000-07-14 | 2006-06-27 | Computer Associates Think, Inc.. | Detection of a class of viral code |
US7234164B2 (en) | 2001-11-30 | 2007-06-19 | Computer Associates Think, Inc. | Method and system for blocking execution of malicious code |
US7437760B2 (en) * | 2002-10-10 | 2008-10-14 | International Business Machines Corporation | Antiviral network system |
TW200416542A (en) | 2003-02-26 | 2004-09-01 | Osaka Ind Promotion Org | Determination method of improper processing, data processing device, computer program and recording media (II) |
-
2006
- 2006-01-25 US US11/339,397 patent/US7802089B2/en active Active
- 2006-12-28 WO PCT/US2006/049547 patent/WO2007087073A1/en active Application Filing
- 2006-12-28 CN CNA2006800518476A patent/CN101336432A/en active Pending
- 2006-12-28 KR KR1020087018287A patent/KR20080096518A/en not_active Application Discontinuation
- 2006-12-28 EP EP06848320A patent/EP1977342A4/en not_active Withdrawn
Non-Patent Citations (3)
Title |
---|
"Flawfinder MAN page" 30 May 2004 (2004-05-30), , XP007908262 Retrieved from the Internet: URL:http://www.dwheeler.com/flawfinder/flawfinder.pdf> * the whole document * * |
DAVID EVANS ET AL.: "Splint Manual, Version 3.1.1.1-1" 5 June 2003 (2003-06-05), SECURE PROGRAMMING GROUP, UNIVERSITY OF VIRGINIA, DEPARTMENT OF COMPUTER SCIENCE , VIRGINIA, USA , XP007908263 Retrieved from the Internet: URL:http://www.splint.org/downloads/manual.pdf> [retrieved on 2009-04-20] * page 1 - page 7 * * page 9 - page 13 * * figures 2-14,16-21,24 * * page 57, paragraph 11.3 * * page 67, paragraph 14.3 * * page 99, line 34 - page 100, line 11 * * |
See also references of WO2007087073A1 * |
Also Published As
Publication number | Publication date |
---|---|
KR20080096518A (en) | 2008-10-30 |
CN101336432A (en) | 2008-12-31 |
US20070180531A1 (en) | 2007-08-02 |
EP1977342A4 (en) | 2009-05-27 |
US7802089B2 (en) | 2010-09-21 |
WO2007087073A1 (en) | 2007-08-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Huang et al. | Scalable and precise taint analysis for android | |
US7860842B2 (en) | Mechanism to detect and analyze SQL injection threats | |
US7802089B2 (en) | Analyzing interpretable code for harm potential | |
US8316448B2 (en) | Automatic filter generation and generalization | |
US6907396B1 (en) | Detecting computer viruses or malicious software by patching instructions into an emulator | |
US10509905B2 (en) | Ransomware mitigation system | |
US8869106B2 (en) | Language service provider management using application context | |
CN109873735B (en) | Performance test method and device for H5 page and computer equipment | |
US9047100B2 (en) | Abstract syntax tree transformation | |
CN111563015A (en) | Data monitoring method and device, computer readable medium and terminal equipment | |
CN111538659B (en) | Interface testing method, system, electronic equipment and storage medium of business scene | |
CN111177113A (en) | Data migration method and device, computer equipment and storage medium | |
CN106326129A (en) | Program abnormity information generating method and device | |
CN110990346A (en) | File data processing method, device, equipment and storage medium based on block chain | |
US11868465B2 (en) | Binary image stack cookie protection | |
Alzaidi et al. | DroidRista: a highly precise static data flow analysis framework for android applications | |
US9064042B2 (en) | Instrumenting computer program code by merging template and target code methods | |
US9021389B1 (en) | Systems and methods for end-user initiated data-loss-prevention content analysis | |
CN110045952B (en) | Code calling method and device | |
US20130132930A1 (en) | Capturing telemetry data by dynamic language engine | |
CN108628909B (en) | Information pushing method and device | |
US20120174078A1 (en) | Smart cache for a server test environment in an application development tool | |
Lathar et al. | Stacy-static code analysis for enhanced vulnerability detection | |
CN111694729A (en) | Application testing method and device, electronic equipment and computer readable medium | |
US9998348B2 (en) | Monitoring a business transaction utilizing PHP engines |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20080708 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20090428 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: G06F 17/27 20060101AFI20070910BHEP Ipc: G06F 9/45 20060101ALI20090422BHEP Ipc: G06F 17/00 20060101ALI20090422BHEP |
|
17Q | First examination report despatched |
Effective date: 20090706 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20091117 |